This invention relates generally to network security and, more particularly, relates to the use of a distributed firewall to protect network applications and resources against unauthorized access.
A firewall is traditionally utilized to control access to a computer network and to log any successful or attempted access to the network. Potentially threatening accesses will typically originate from the Internet, and thus the traditional firewall is installed at the point of connection between the computer network to be protected and the Internet. This method has been used to protect wide area networks (WANs) and local area networks (LANs), and combinations of the two, as well as other types of networks. A local area network is a collection of computers and devices all connected to a common bus. Communications within a LAN are by a broadcast method, whereby all entities on the bus can receive the message, but only the addressed entity retains the information. Communications within a WAN are by a point-to-point method, whereby only the addressed recipient receives a particular communication. The LAN communication protocol is much faster, but is limited to relatively small distances whereas the WAN protocol is slower but may be used over great distances. Both LANs and WANs may be connected to the Internet.
Information transported by the Internet may be classified into subgroups called sessions, and sessions may be further divided into subgroups called packets. A packet is the most basic Internet transportation unit of information; a packet contains sufficient information to be routed to the correct destination service and to allow the destination service to reply to the source system. The source port number typically does not indicate the source application, while the destination port number may reveal valuable information about the destination service. This is because, by convention, standard network services usually have fixed port numbers. For example, the Telnet program typically is assigned port number 23. A session is a group of packets that have the same address information.
This distinction is important to some types of traditional firewalls, called session-aware firewalls. These firewalls are able to recognize that an incoming packet is part of an authorized session, such as perhaps a session originating from behind the firewall, and to act accordingly. Whether or not a firewall is aware of session information, in order to be effective it should at least be able to access and understand the address information contained in each packet. For example, one general class of firewall called a packet filter firewall simply uses filtering rules in conjunction with the packet address information to decide whether to pass or block a packet.
An application-level gateway is a type of firewall which utilizes session-awareness functionality. In contrast to packet filtering firewalls, an application-level gateway does not allow any packet to directly pass across the firewall. Rather, the application-level gateway requires that the connection be made through an application proxy running on the firewall itself. A major limitation of application-level gateways is that they require the installation at the firewall of a separate proxy application corresponding to each network service desiring to cross the firewall. While some application-level gateways avoid this problem by providing a generic proxy for unsupported applications, this technique decreases the security provided by such a firewall to approximately that provided by a bare packet filtering firewall, and is considerably slower than a bare packet filtering firewall. Further decreasing the efficacy of all traditional perimeter firewalls, including application-level gateways, is the fact that once penetrated, perimeter firewalls provide no more security to the network. Furthermore, traditional perimeter firewalls guard only a known gateway, and hence do not protect against access through an alternative gateway such as a modem connected to a machine within the network.
It is known to place a series of firewalls at the perimeter of a network to provide added intrusion resistance and to provide advance notice to an administrator of an intrusion before the last firewall is breached. This type of serially cascaded firewall, while potentially more effective than those mentioned above, does not solve the problem of intrusions through alternative gateways. Furthermore, these firewalls are generally also not easily customizable, and may serve to further decrease the transmission speed of the firewall. Still further, while a cascaded firewall may make a first successful unauthorized access to the network more difficult, once such access is achieved the entire network is rendered vulnerable.
From the foregoing, a firewall is needed which may be tailored to individual applications, which does not render the entire network vulnerable after one successful unauthorized access, and which substantially prevents circumvention through unknown gateways.
In accordance with this need, the present invention is generally realized in a method and system of network security using an application specific distributed firewall. In the utilization of the invention, a series of application wrappers are placed around individual applications throughout a protected network. Each wrapper is registered with a registry server in such a way as to be associated with a group of other application wrappers. In this manner, when any application is compromised, the wrapper associated with that application may notify the registry server which may in turn notify the wrappers belonging to the same group as the compromised application's wrapper. Subsequently, the notified group member wrappers may modify their local rules file to eliminate communication between their secured application and the compromised application, thus substantially preventing the entire network from being compromised after an unauthorized access to one application. Furthermore, because the firewall of the present invention is distributed, it generally prevents unauthorized access via known and unknown gateways alike.
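The wrapper, registry server and group-notification sequence described above, as an added illustrative model that is not part of the patent text: the class names, the in-memory "rules file" (a set of blocked peer applications) and the group names are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Wrapper:
    """Application wrapper guarding one secured application (hypothetical model)."""
    app: str
    group: str
    blocked: set[str] = field(default_factory=set)  # stands in for the local rules file
    compromised: bool = False

    def allows(self, peer: str) -> bool:
        """Local rule check: may our application still talk to `peer`?"""
        return peer not in self.blocked

    def on_group_alert(self, compromised_app: str) -> None:
        """Modify the local rules file so our application stops talking to the compromised one."""
        if compromised_app != self.app:
            self.blocked.add(compromised_app)


class RegistryServer:
    """Registers wrappers into groups and relays a compromise report to the group."""

    def __init__(self) -> None:
        self.groups: dict[str, list[Wrapper]] = {}

    def register(self, wrapper: Wrapper) -> None:
        self.groups.setdefault(wrapper.group, []).append(wrapper)

    def report_compromise(self, wrapper: Wrapper) -> list[str]:
        """Called by a wrapper that detected compromise; returns the apps that were notified."""
        wrapper.compromised = True
        notified = []
        for member in self.groups.get(wrapper.group, []):
            if member is not wrapper:          # only same-group peers are told
                member.on_group_alert(wrapper.app)
                notified.append(member.app)
        return notified


def simulate() -> tuple[list[str], bool, bool]:
    """Constructed scenario: 'web' and 'db' share a group, 'mail' is in another group."""
    registry = RegistryServer()
    web, db, mail = Wrapper("web", "frontend"), Wrapper("db", "frontend"), Wrapper("mail", "messaging")
    for w in (web, db, mail):
        registry.register(w)
    notified = registry.report_compromise(web)   # web's wrapper reports it was compromised
    # db (same group) now refuses web; mail (other group) was not notified and still allows it
    return notified, db.allows("web"), mail.allows("web")
```

Running `simulate()` shows that only the same-group wrapper has its rules updated, which is exactly the containment the invention relies on.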